Re: fail-over pixs mac-address

rosario.garufi · ‎11-15-2004

When the secondary is active, the primary answers for the shared mac-address, this should not be the case. The switches get confused and intermitten problems occur. This only happens on the outside interface.

Any suggestions

scoclayton · ‎11-15-2004

There is no such thing as a 'shared mac-address' in relation to PIX failover. When a failover occurs, the stand-by PIX assumes the IP address as well as the MAC address from all interfaces on the failed primary box. The new primary PIX sends out a gratuitous ARP which updates the associated L2 devices with new CAM entries.

My guess in this case is that the switch on the outside is not properly accepting the gratuitous ARP from the PIX. Is there a difference between the switch on the outside of the PIX and the switches on the other interfaces that seem to be working well?

Scott

rosario.garufi · ‎11-16-2004

Thanks Scott,

Here is the topology, 2 pixs 2 outside switches 2 inside switches.

outside 2 2924 trunked

Inside 2 6500

Doing HA with cable only, The pixs flip-flop, the secondary pix's log says that it lost communication with the primary and is taking over.(1st Problem)

when the secondary takes over, the mac-address shows up on both the switches, (2nd Problem)

Kinda in a active active situation..

when the everything is normal Primary active seconday standby, the mac-address on shows on the active firewall switchport.

scoclayton · ‎11-16-2004

I'm not really sure what to say other than this should not be happening. I would suggest opening a TAC service request and having the experts take a look. Sorry I couldn't help more.

Scott